Thursday, October 13, 2011

U.S. Air Force Demonstrates How NOT to Report a Malware Attack

I just ended a phone call with Air Force Space Command Public Affairs after reading their press release "Flying operations of remotely piloted aircraft unaffected by malware". I figured that since the malware was "found routinely on computer networks and is considered more of a nuisance than an operational threat" that there would be no problem in telling me the name of the malware involved.

That didn't happen, which is too bad because the press release has some confusing language in it and conflicts with unnamed Air Force sources quoted in the two earlier Wired articles (here and here). For example, the release makes a distinction between a "credential stealer" and a "keylogger". Well, that's a distinction without a difference. What we're really talking about is a trojan that steals credentials by logging keystrokes. Zeus and SpyEye are two of the largest, but there are lots of trojans out there. Here's one I found on a game forum: "Trojan.KillAV.RS Steals Gamers' Login Credentials". The other important fact to know about trojans, or "credential stealers" as the Air Force likes to call them, is that they transmit their stolen credentials out to a Command & Control site. The Air Force PR statement said that their particular credential stealer wasn't designed to transmit data or video. Video? No. Data? Absolutely. That's the entire point of the malware - to capture data and send it back to the C&C.
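The point above, that a credential stealer has to send what it captures back to a C&C site, is also what makes this class of malware detectable on the wire. The script below is an added example written for this post, not code from the Air Force or from any vendor, and it assumes a simplified, constructed proxy log format (timestamp, client IP, method, destination host, bytes sent). It flags a client that makes many small HTTP POSTs to one external host at a near-constant interval, which is the footprint of a keylogger uploading its buffer on a timer. The hostnames and addresses in the sample log are made up.

```python
"""Beacon detector for web proxy logs (constructed example, not from the post).

A credential-stealing trojan that logs keystrokes still has to get the
captured data off the host, and it typically does so by posting small
blobs to a command-and-control (C&C) site at a fairly regular interval.
This script looks for exactly that pattern: one internal client making
several small HTTP POSTs to one external host at near-constant spacing.
The log format and every sample line are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <client_ip> <method> <host> <bytes_sent>"
SAMPLE_LOG = """\
2011-10-13T09:00:00 10.1.1.20 GET www.example-news.invalid 0
2011-10-13T09:00:05 10.1.1.20 POST cc.example-bad.invalid 412
2011-10-13T09:00:10 10.1.1.31 GET www.example-news.invalid 0
2011-10-13T09:05:06 10.1.1.20 POST cc.example-bad.invalid 398
2011-10-13T09:10:04 10.1.1.20 POST cc.example-bad.invalid 430
2011-10-13T09:12:00 10.1.1.31 POST mail.example-corp.invalid 120000
2011-10-13T09:15:05 10.1.1.20 POST cc.example-bad.invalid 405
2011-10-13T09:20:06 10.1.1.20 POST cc.example-bad.invalid 399
2011-10-13T09:25:05 10.1.1.20 POST cc.example-bad.invalid 421
2011-10-13T09:30:00 10.1.1.31 POST mail.example-corp.invalid 95000
2011-10-13T09:47:00 10.1.1.31 POST mail.example-corp.invalid 150000
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, bytes_sent) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, method, host, int(nbytes)


def find_beacons(text, min_posts=4, max_jitter=0.2, max_bytes=4096):
    """Return sorted (client, host) pairs whose POST timing looks automated.

    A pair is flagged when the client made at least `min_posts` small POSTs
    (each at most `max_bytes` bytes) to the host and the gaps between them
    vary by no more than `max_jitter` of the mean gap (coefficient of
    variation). Large, irregular uploads such as webmail attachments are
    left alone by the size filter, which keeps the noise down.
    """
    posts = defaultdict(list)
    for ts, client, method, host, nbytes in parse_log(text):
        if method == "POST" and nbytes <= max_bytes:
            posts[(client, host)].append(ts)

    flagged = []
    for key, times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, host in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host}")
```

On the constructed log this flags only 10.1.1.20 talking to cc.example-bad.invalid every five minutes; the second client's large, irregular POSTs to the mail host are ignored. In practice the thresholds are tuned per environment and the hit list is cross-checked against the destination's reputation before anyone calls it an incident, but the underlying signal is the same one the post describes: stolen data has to leave the box.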

I think that what happened here is that the Air Force is focusing on what the malware isn't instead of what it is. It's not designed to take over the controls of a remotely piloted aircraft. It is, however, designed to steal data. If the Air Force wants to put this to bed and stop the speculation, here are two tips for future briefings:

1. Have an engineer from the 24th Air Force write the press release so that the language is precise and accurate.

2. Name the malware.

The only thing that your current press release did was raise more questions.